Security Experts:

Connect with us

Hi, what are you looking for?



Yahoo Awarded Researchers Over $1 Million in Bug Bounty Program

Nearly two years after it launched a bug bounty program, Yahoo says it has awarded researchers who reported security vulnerabilities a total of more than $1 million.

Nearly two years after it launched a bug bounty program, Yahoo says it has awarded researchers who reported security vulnerabilities a total of more than $1 million.

According to Ramses Martinez, senior director and interim CISO at Yahoo, the company has received 10,000 submissions from 1,800 researchers since the launch of the vulnerability rewards program. A total of 600 researchers reported valid security flaws, 1,500 of which have resulted in a bounty payout.

The monthly validity rate of vulnerability reports is currently 15 percent, which represents a 5 percent increase compared to the end of 2014. Martinez noted that 87 percent of reporters have submitted less than 10 bugs, and half of all submissions are from the top 6 percent of contributors.

“A major improvement to our Bug Bounty program has been the implementation of a reputation system. This process is designed to award points to researchers after reporting a verifiable security bug. The number of points is also affected by the amount of the bounty the reporter is paid,” Martinez said in a blog post.

“The reputation system has made our list of top vulnerability reporters more meaningful by illustrating not only the number of reports they have submit, but the severity value we assigned to each. The reputation system also gives researchers a quantifiable way to compare their skills with the rest of the participants in the program,” he added.

Before October 2013, researchers who reported vulnerabilities to Yahoo were awarded a $12.50 voucher. After numerous complaints, Yahoo launched a proper bug bounty program via HackerOne and promised contributors between $50 and $15,000 based on the severity of the bugs.

In October 2014, Yahoo reported paying out over $700,000 to researchers through its bug bounty program and now the total amount has increased to more than $1 million.

In comparison, Facebook said in February that it had paid out a total of $3 million since the launch of its vulnerability rewards program four years ago. The social media giant awarded researchers $1.3 million in 2014 alone.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.


Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.